#!/usr/bin/env bash
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
# name: create-users.sh
# description:  adds test users defined in metadata or use default
#

# enable debug through -x and omit sensitive areas by turning off (set +x)
set -xeuo pipefail

ROLE=$(/usr/share/google/get_metadata_value attributes/dataproc-role)
readonly USER_SETUP_LIST=$(/usr/share/google/get_metadata_value attributes/user-setup-list)

# users list can be customized using metadata attribute user-setup-list.
# If not defined, the default users will be used.
# Any user with suffix "svc" will be treated as a non-human account and keytab
# distributed to analytics cluster under /etc/security/keytab/-svc.keytab where
# perms will be set for that non-human unix account to 400 with ownership set
# for only that account.
DEFAULT_USERS="jake,jarek,kamil,daniel,core-data-svc"

# Setup unix user account for example users
#  required to be created on all hadoop nodes when kerberized for application
#  tasks to run as end user account
function create_principals() {
  local users=${USER_SETUP_LIST}
  if [[ -z "${users}" ]]; then
    users=${DEFAULT_USERS}
  fi
  for i in ${users//,/ }; do
    create_principal "$i"
  done
}

# add hadoop paths for user
function create_principal() {
  local username=$1

  # create keytab for non-human service account - indicated by svc
  if [[ "${username}" == *"svc" ]]; then
    /usr/sbin/kadmin.local addprinc -randkey "${username}@${CLUST_REALM}"
    /usr/sbin/kadmin.local xst -norandkey -k "${username}.keytab" "${username}@${CLUST_REALM}"
    g_encrypt_secret "${username}.keytab"
    g_cp "${username}.keytab.encrypted" "${CLIENT_RESOURCES_PATH}/"
    rm "${username}.keytab.encrypted"
    rm "${username}.keytab"
  else
    set +x

    # default password of first 4 chars of username 123 for demonstration purpose
    local short
    short="$(echo "$username" | head -c 4)123"
    /usr/sbin/kadmin.local addprinc -pw "${short}" "${username}@${CLUST_REALM}"
    set -x
  fi
}

# encrypt keytab
function g_encrypt_secret() {
  local keytab_file=$1

  gcloud kms encrypt --ciphertext-file "${keytab_file}.encrypted" \
    --plaintext-file "${keytab_file}" --key "${KMS_KEY_URI}"
}

# log wrapper
function log_and_fail() {
  echo "[$(date +'%Y-%m-%dT%H:%M:%S%z')]: ERROR $*" >&2
  return 1
}

# gcs copy
function g_cp() {
  CMD="gsutil cp ${1} ${2}"
  ${CMD} || log_and_fail "Unable to execute ${CMD}"
}

function main() {

  if [[ "${ROLE}" == 'Master' ]]; then
    # create user/service principals for test scenario
    create_principals
  fi
}

main
